While it is important to understand the policies that require agencies to develop and implement awareness and training, it is crucial that agencies understand who has responsibility for IT security awareness and training. This section identifies and describes those within an organization who have responsibility for IT security awareness and training.

A successful IT security program consists of: 1) developing IT security policy that reflects business needs tempered by known risks; 2) informing users of their IT security responsibilities, as documented in agency security policy and procedures; and 3) establishing processes for monitoring and reviewing the program.

Awareness is not training. The purpose of awareness presentations is simply to focus
attention on security. Awareness presentations are intended to allow individuals to
recognize IT security concerns and respond accordingly. In awareness activities the
learner is a recipient of information, whereas the learner in a training environment has a
more active role. Awareness relies on reaching broad audiences with attractive
packaging techniques. Training is more formal, having a goal of building knowledge and
skills to facilitate job performance.

The “Training” level of the learning continuum strives to produce relevant and needed
security skills and competency by practitioners of functional specialties other than IT
security (e.g., management, systems design and development, acquisition, auditing).

The “Education” level integrates all of the security skills and competencies of the various
functional specialties into a common body of knowledge, adds a multi-disciplinary study
of concepts, issues, and principles (technological and social), and strives to produce IT
security specialists and professionals capable of vision and pro-active response.

There are three major steps in the development of an IT security awareness and training program – designing the program (including the development of the IT security awareness and training program plan), developing the awareness and training material, and implementing the program.

An awareness and training program may be designed, developed, and implemented in many different ways. Three common approaches or models are described below:
Model 1: Centralized policy, strategy, and implementation;
Model 2: Centralized policy and strategy, distributed implementation; and
Model 3: Centralized policy, distributed strategy and implementation.

Evaluating training effectiveness is a vital step to ensure that the training delivered is meaningful.
Training is “meaningful” only when it meets the needs of both the student (employee) and the
organization. If training content is incorrect, outdated, or inappropriate for the audience, the
training will not meet student or organizational needs. If the delivery vehicle (e.g., classroom or
computer-based training) is inappropriate, either in relation to the simplicity/complexity of the
content or to the type of audience—or if there is an inadequate mix of vehicles in an agency’s
overall training program—the training will not meet needs. Spending time and resources on
training that does not achieve desired effects can reinforce, rather than dispel, the perception of
security as an obstacle to productivity. Further, it can require the expenditure of far more
resources in data or system recovery after a security incident occurs than would have been spent
in prevention activities.

Meaningfulness, or effectiveness, requires measurement. Evaluating training effectiveness has
four distinct but interrelated purposes -- to measure:
- The extent to which conditions were right for learning and the learner’s subjective satisfaction;
- What a given student has learned from a specific course or training event, i.e., learning effectiveness;
- A pattern of student outcomes following a specific course or training event, i.e., teaching effectiveness; and
- The value of the specific class or training event, compared to other options in the context of an agency’s overall IT security training program, i.e., program effectiveness.

An evaluation process should produce four types of measurement, each related to one of
evaluation’s four purposes, as appropriate for three types of users of evaluation data:
- First, evaluation should yield information to assist the employees themselves in assessing their subsequent on-the-job performance.
- Second, evaluation should yield information to assist the employees’ supervisors in assessing individual students’ subsequent on-the-job performance.
- Third, it should produce trend data to assist trainers in improving both learning and teaching.
- Finally, it should produce return-on-investment statistics to enable responsible officials to allocate limited resources in a thoughtful, strategic manner among the spectrum of IT security awareness, security literacy, training, and education options for optimal results among the workforce as a whole.

“Security Awareness” is explicitly required for ALL employees, whereas “Security Basics
and Literacy” is required for those employees, including contractor employees, who are
involved in any way with IT systems. In today’s environment this typically means all
individuals within the organization.

The “Security Basics and Literacy” category is a transitional stage between “Awareness”
and “Training.” It provides the foundation for subsequent training by providing a
universal baseline of key security terms and concepts.

After “Security Basics and Literacy,” training becomes focused on providing the
knowledge, skills, and abilities specific to an individual’s “Roles and Responsibilities
Relative to IT Systems.” At this level, training recognizes the differences between
beginning, intermediate, and advanced skill requirements.

The “Education and Experience” level focuses on developing the ability and vision to
perform complex multi-disciplinary activities and the skills needed to further the IT
security profession and to keep pace with threat and technology changes.

Learning achieved through a single awareness activity tends to be short-term, immediate, and
specific. Training takes longer and involves higher-level concepts and skills. For example, if a
learning objective is “to facilitate the increased use of effective password protection among
employees,” an awareness activity might be the use of reminder stickers for computer keyboards.
A training activity might involve computer-based instruction in the use of passwords, parameters,
and how to change the passwords for organization systems.

Effective IT security awareness presentations must be designed with the recognition that people
tend to practice a tuning-out process called acclimation. If a stimulus, originally an attention-getter,
is used repeatedly, the learner will selectively ignore the stimulus. Thus, awareness
presentations must be on-going, creative, and motivational, with the objective of focusing the
learner’s attention so that the learning will be incorporated into conscious decision-making. This
is called assimilation, a process whereby an individual incorporates new experiences into an
existing behavior pattern.